No laughing matter

Updated: Jul 8, 2021

I was looking for uproarious laughter and maybe a round of applause with my joke about financial regulation... but the audience refused to comply.


Ba dum tss.



Jokes about cybersecurity are about as popular as jokes about financial regulation, and a data breach isn't funny at all. Nonetheless, I imagine the Kremlin was savouring a quiet smile in the wake of the SolarWinds hacking scandal when the SEC issued a letter to market participants, expertly skewering them on the horns of a prisoner's dilemma, and US "security leaders" demurred over retaliation, notwithstanding that the US government itself was significantly exposed to the attack:

U.S. security leaders have long expressed caution about deploying offensive cyberattacks to cripple adversaries’ critical infrastructure or expose embarrassing information on their leaders, for fear of triggering an escalating conflict that could see foreign hackers shutting off the lights in the United States. (Politico report, emphasis added.)

Yeah, okay, so the Administration won't release that video clip of Vyacheslav Volodin dressing up as a character from Shrek and being paddled by his secretary (well, it might have happened...) but they will make life quite a bit less comfortable for US issuers.*


That'll show 'em.


Last month, the SEC sent investigative letters to a number of public issuers and investment firms seeking voluntary information by last week on whether they had been victims of the hack and failed to disclose it. The agency also sought information on whether public companies that had been victims had experienced a lapse of internal controls, and related information on insider trading. Answers to related FAQs were subsequently published on the SEC website. Maybe it's just me, but I thought the answers had a whiff of the "cloak and dagger" about them:

Q: Where did you hear that recipients may have been affected by the breach?
A: Because our investigations are confidential, we are not in a position to disclose other investigative steps that we have taken to this point.

A-a-a-anyways, what of that prisoner's dilemma?** You remember the poser, of course: two prisoners can individually rat each other out for, say, murder in a kind of zero-sum game in which one goes to jail for life and one gets off scot-free, with no guarantee as to where the luck of the draw will fall; or they can keep schtum and both serve a fractional sentence for the less serious offence on which the police relied when they were arrested. The challenge facing the prisoners is that they are being interviewed separately, with no opportunity for coordination, and each must second-guess what the other will do. The worst outcome for A is to keep quiet and find out that B has ratted him out; but if he gives B up, then he is admitting he has knowledge of the murder, and B will certainly try to turn the tables on him.


Well, as with the classic conundrum, the SEC had something of a sweetener to offer in the SolarWinds case: cooperate with us and...

Subject to certain limitations and conditions, the Commission’s Division of Enforcement will not recommend that the Commission pursue enforcement actions against recipients that meet the requirements set out in the Letter that recipients received with the voluntary request for information.

Or, in common market parlance: if you self-report, you will be rewarded with the certainty of a declination on any breaches of your systems and controls which come to light in association with the SolarWinds Event. This benefit, however, does not extend to any conduct associated with "Other Compromises" (which are to be disclosed in answer to Question 5 in the letter):

The benefits described in the Letter relate only to the SolarWinds Compromise. As described in the Letter, conduct involving Other Compromises would be considered self-reported conduct outside of the scope of the SolarWinds Event Response and reviewed on a case-by-case basis.

Hmm. Let's assume, for the purposes of illustration, the existence of an issuer ("S.L.Y. Inc") who has experienced two cybersecurity breaches: one as a result of the SolarWinds Event and another during a putative LunarWinds ransomware attack, within the timeframe identified in the SEC letter. The optimal outcome for SLY would be to receive the SolarWinds declination but avoid scrutiny of its conduct relating to the LunarWinds Event, because admitting "Other Compromises" might result in a penalty if the SEC discovers a lapse in SLY's accounting systems and controls.


So, keeping quiet about breaches associated with the LunarWinds Event may seem to make a kind of self-serving sense, but the challenge for SLY is that the SEC has sent identical letters to other market participants, any one of whom might reveal the existence of a second ransomware attack affecting a bunch of companies with SLY's profile. And, of course, just as with the traditional prisoner's dilemma, coordinating a wall of silence is impossible even if SLY knows who else has received the letter. If the SEC hears about the LunarWinds Compromise from another market participant and the agency's investigation leads it to conclude that SLY experienced a breach but didn't disclose it when responding to the SolarWinds letter, not only will the SolarWinds declination be invalidated, but the SEC's review of any lapse of controls associated with the LunarWinds Event will likely be aggressive and uncompromising: the worst possible outcome. So, SLY may have to settle for the traditional game theory fallback: 'fessing up to what happened and hoping that investigators are not only willing to blame the situation on someone else (in this case: the hackers) but also take a generous view of SLY's own conduct. Just how did a criminal act by Russian operatives result in US issuers wondering whether to call their lawyers on the other side of a figurative two-way mirror like this? 🤷‍♀️


Ah well, perhaps the US administration also sent letters to compromised Russian officials:

Subject to certain limitations and conditions, we will not pursue enforcement actions (*wink* *nudge* LOL!) against Russian state representatives who fully disclose all hostile activities by Russian actors against US national interests in the stated period.

Let's hope so.


* In April, President Biden ordered the Treasury to designate six Russian technology companies believed to be providing support to the Russian Intelligence Service (SVR) for sanctions.

** "Prisoner's Dilemma" is a reference to a device widely taught in game theory and in no way is it intended to carry any implication as to the enforcement liability of market participants who received the letter.
